Transparent sensitive data protection enables you to find all table columns in a database that hold sensitive data. You can create policies that protect this data. You can use transparent sensitive data production with Oracle Data Redaction, Oracle Virtual Private Database, unified auditing, fine-grained auditing, and Transparent Data Encryption column encryption.
Topics:
General Steps for Using Transparent Sensitive Data Protection
Use Cases for Transparent Sensitive Data Protection Policies
Privileges Required for Using Transparent Sensitive Data Protection
How a Multitenant Environment Affects Transparent Sensitive Data Protection
Using the Predefined REDACT_AUDIT Policy to Mask Bind Values
Using Transparent Sensitive Data Protection Policies with Data Redaction
Using Transparent Sensitive Data Protection Policies with Oracle VPD Policies
Transparent sensitive data protection (TSDP) enables you to quickly find all table columns in a database that hold sensitive data (such as credit card or Social Security numbers), classify this data, and then create a policy that protects this data as a whole for a given class.
The TSDP policy then protects the sensitive data in these table columns by using either Oracle Data Redaction or Oracle Virtual Private Database settings. The TSDP policy applies at the column level of the table that you want to protect, targeting a specific column data type, such as all NUMBER
data types of columns that contain credit card information. You can create a uniform TSDP policy for all of the data that you classify, and then modify this policy as necessary, as compliance regulations change. Optionally, you can export the TSDP policies for use in other databases.
The benefits of TSDP policies are enormous: You easily can create and apply TSDP policies throughout a large organization with numerous databases. This helps auditors greatly by enabling them to estimate the protection for the data that the TSDP policies target.
To use TSDP with Oracle Data Redaction, you must follow a set of general steps.
Create a sensitive type to classify the types of columns that you want to protect.
For example, you can create a sensitive type for classify all Social Security numbers or credit card numbers. To create the sensitive type, either use the DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE
PL/SQL procedure or use an Enterprise Manager Cloud Control Application Data Model. To add multiple sensitive types in one operation from an Application Data Model, you can use the DBMS_TSDP_MANAGE.IMPORT_SENSITIVE_TYPES
procedure.
Identify a list of sensitive columns that are associated with the sensitive types.
To determine and generate this list, you can use either of the following methods:
The DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN
procedure individually identifies sensitive columns.
An Oracle Enterprise Manager Cloud Control Application Data Model enables you to identify a group of sensitive columns. It then prepares this list of sensitive columns in XML format, which you then import into your database.
If you used an Application Data Model for Step 2, then import the list of sensitive columns from the Application Data Model into your database by using the DBMS_TSDP_MANAGE.IMPORT_DISCOVERY_RESULT
procedure.
Create the TSDP policy by using the DBMS_TSDP_PROTECT.ADD_POLICY
procedure within an anonymous block that defines the Data Redaction or Virtual Private Database settings that you want to use.
Associate the TSDP policy with one or more sensitive types by using the DBMS_TSDP_PROTECT.ASSOCIATE_POLICY
procedure.
Enable the TSDP policy protections by using the DBMS_TSDP_PROTECT.ENABLE_PROTECTION_SOURCE
, DBMS_TSDP_PROTECT.ENABLE_PROTECTION_COLUMN
, or the DBMS_TSDP_PROTECT.ENABLE_PROTECTION_TYPE
procedure.
Optionally, export the TSDP policy to other databases by using Oracle Data Pump to perform a full database export. (You cannot individually export TSDP policies.)
Transparent sensitive data protection has several benefits.
You configure the sensitive data protection once, and then deploy this protection as necessary. You can configure transparent sensitive data protection policies to designate how a class of data (for example, credit card columns) must be protected without actually having to specify the target data. In other words, when you create the transparent sensitive data protection policy, you do not need to include references to the actual target columns that you want to protect. The transparent sensitive data protection policy finds these target columns based on a list of sensitive columns in the database and the policy's associations with the specified sensitive types. This can be useful when you add more sensitive data to your databases after you have created the transparent sensitive data protection policies. After you create the policy, you can enable protection for the sensitive data in a single step (for example, enable protection based on the entire source database). The sensitive type of the new data and the sensitive type and policy associations determine how the sensitive data is protected. In this way, as new sensitive data is added, you do not need to configure its protection, as long as it meets the current transparent sensitive data protection policy's requirements.
You can manage protection of multiple sensitive columns. You can enable or disable protection for multiple sensitive columns based on a suitable attribute (such as the source database of the identification, the sensitive type itself, or a specific schema, table, or column). This granularity provides a high level of control over data security. The design of this feature enables you to manage data security based on specific compliance needs for large data sets that fall under the purview of these compliance regulations. You can configure data security based on a specific category rather than for each individual column. For example, you can configure protection for credit card numbers or Social Security numbers, but you do not need to configure protection for each and every column in the database that contains this data.
You can protect the sensitive columns identified using the Oracle Enterprise Manager Cloud Control Application Data Modeling (ADM) feature. You can use the Cloud Control ADM feature to create sensitive types and discover a list of sensitive columns. Then you can import this list of sensitive columns and their corresponding sensitive types into your database. From there, you can create and manage transparent sensitive data protection policies using this information.
To use transparent sensitive data protection, you must have the EXECUTE
privilege for several PL/SQL packages.
DBMS_TSDP_MANAGE
, which enables you to import and manage sensitive columns and sensitive types into your database. The procedures in this package execute with invoker's rights. Typically, an application database administrator will be granted privileges for this package.
DBMS_TSDP_PROTECT
, which you use to create the TSDP policy. The procedures in this package execute with invoker's rights. Typically, a security database administrator will be granted privileges for this package.
DBMS_REDACT
, if you plan to create Data Redaction policies. Typically, a security database administrator will be granted privileges for this package.
DBMS_RLS
, if you plan to incorporate Oracle Virtual Private Database functionality into your TSDP policies. Typically, a security database administrator will be granted privileges for this package.
For better separation of duty, these packages are designed so that either an application database administrator has control over one area of the TSDP policy creation (as in the case of the DBMS_TSDP_MANAGE
package) or a security database administrator (for the DBMS_TSDP_PROTECT
, DBMS_REDACT
, and DBMS_RLS
packages).
In a multitenant environment, you can apply TSDP policies to the current PDB only.
You cannot apply them to the entire multitenant container database (CDB).
Before you can create a transparent sensitive data protection policy, you create a sensitive type, find the sensitive columns that must be protected, and then import the sensitive columns from ADM into your database. After you create the policy, you must associate it with a sensitive type and then enable the policy. Optionally, you can import it to other databases.
Step 3: Import the Sensitive Columns List from ADM into Your Database
Step 4: Create the Transparent Sensitive Data Protection Policy
Step 6: Enable the Transparent Sensitive Data Protection Policy
The sensitive type is a class of data that you designate as sensitive. For example, you can create a credit_card_type
sensitive type for all credit card numbers.
To create a sensitive type, either create it from an Enterprise Manager Cloud Control Application Data Model or use the DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE
PL/SQL procedure.
To drop a sensitive type, you can use the DBMS_TSDP_MANAGE.DROP_SENSITIVE_TYPE
procedure.
Example 11-1 shows how to create the sensitive type credit_card_num_type
:
Example 11-1 Creating a Sensitive Type
BEGIN DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE ( sensitive_type => 'credit_card_num_type', user_comment => 'Type for credit card columns using a number data type'); END; /
In this example:
sensitive_type
: Create a name that describes the sensitive type that you want to capture. This value is case sensitive, so when you reference it later on, ensure that you use the case in which you created it. You can find existing sensitive types by querying the DBA_SENSITIVE_COLUMN_TYPES
data dictionary view.
user_comment
: Optionally, enter a description for the sensitive type.
See Also:
Oracle Database Testing Guide for detailed information about Application Data Models
Oracle Database PL/SQL Packages and Types Reference information about the DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE
PL/SQL procedure
To identify the columns to protect, based on the sensitive type that you defined in "Step 1: Create a Sensitive Type", you either can use an Enterprise Manager Cloud Control Application Data Model to identify these columns, or you can use the DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN
procedure.
To remove the column from the list of sensitive columns for the database, you can use the DBMS_TSDP_MANAGE.DROP_SENSITIVE_COLUMN
procedure.
Find the sensitive type that you want to use.
For example:
SELECT NAME FROM DBA_SENSITIVE_COLUMN_TYPES; NAME --------------------- credit_card_num_type
Execute the DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN
procedure to associate the sensitive type with a table column. Ensure that you enter the sensitive_type
parameter using the case in which you used to create the sensitive type.
For example:
BEGIN DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN( schema_name => 'OE', table_name => 'CUST_CC', column_name => 'CREDIT_CARD', sensitive_type => 'credit_card_num_type', user_comment => 'Sensitive column addition of credit_card_num_type'); END; /
Next, you are ready to import the sensitive columns list from ADM into your database.
If you had used an Application Data Model to create the list of sensitive columns, then import this list into your database by running the DBMS_TSDP_MANAGE.IMPORT_DISCOVERY_RESULT
procedure.
If you had used the DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN
procedure to identify these columns, then you can bypass this step.
Example 11-2 shows how to import the Cloud Control Application Data Model into the current database.
Example 11-2 Importing a Sensitive Columns List from ADM
BEGIN DBMS_TSDP_MANAGE.IMPORT_DISCOVERY_RESULT ( discovery_result => xml_adm_result, discovery_source => 'ADM_Demo'); END; /
In this example:
discovery_result
refers to the list of sensitive columns and their associated sensitive types. This list is in XML format.
discover_source
refers to the name of the Application Data Model that contains the list of sensitive columns referred by the discovery_result
setting. You can find a list of the Application Data Models from the Data Discovery and Modeling page in Enterprise Manager Cloud Control. (To access this page, from the Enterprise menu, select Quality Management, and then Data Discovery and Modeling. You can find a list of the sensitive columns and their associated types in the Sensitive Columns tab.)
After you have identified the sensitive columns, and if you had used an Application Data Model to create the list of sensitive columns, imported this list into your database, you are ready to create the transparent sensitive data protection policy.
Topics:
About Creating the Transparent Sensitive Data Protection Policy
Setting the Oracle Data Redaction or Virtual Private Database Feature Options
Setting Conditions for the Transparent Sensitive Data Production Policy
To create the transparent sensitive data protection policy, you must configure it for the Virtual Private Database or Oracle Data Redaction settings that you want to use, and then apply these settings to a transparent sensitive data protection policy defined by the DBMS_TSDP_PROTECT.ADD_POLICY
procedure.
This section shows how to configure it for Oracle Data Redaction. (See "Tutorial: Creating a TSDP Policy That Uses Virtual Private Database Protection" for an example of how you can create a TSDP policy for Virtual Private Database.)
You can create the policy by defining an anonymous block that has the following components:
If you are using Oracle Data Redaction for your policy, a specification of the type of Data Redaction that you want to use, such as partial Data Redaction
If you are using Oracle Virtual Private Database for your policy, a specification of the VPD settings that you want to use
Conditions to test when the policy is enabled. For example, the data type of the column which should be satisfied before the policy can be enabled.
A named transparent sensitive data protection policy to tie these components together, by using the DBMS_TSDP_PROTECT.ADD_POLICY
procedure
After you create the sensitive type, it resides in the SYS
schema.
Example 11-3 shows how to create a transparent sensitive data protection policy that uses a partial number data type-based Data Redaction policy.
If you want to see an example of a similar policy for VPD, see "Step 4: Create and Enable a Transparent Sensitive Data Protection Policy". (You can copy and paste the following text by positioning the cursor at the start of DECLARE
in the first line.)
To create the policy, use the DBMS_TSDP_PROTECT.ADD_POLICY
procedure, as shown in Example 11-3.
Example 11-3 Creating a Transparent Sensitive Data Protection Policy
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
DECLARE redact_feature_options DBMS_TSDP_PROTECT.FEATURE_OPTIONS; policy_conditions DBMS_TSDP_PROTECT.POLICY_CONDITIONS; BEGIN redact_feature_options ('expression') := 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') =''APPUSER'''; redact_feature_options ('function_type') := 'DBMS_REDACT.PARTIAL'; redact_feature_options ('function_parameters') := '0,1,6'; policy_conditions(DBMS_TSDP_PROTECT.DATATYPE) := 'NUMBER'; policy_conditions(DBMS_TSDP_PROTECT.LENGTH) := '16'; DBMS_TSDP_PROTECT.ADD_POLICY ('redact_partial_cc', DBMS_TSDP_PROTECT.REDACT, redact_feature_options, policy_conditions); END; / |
In this example:
Line 2: Creates the variable redact_feature_options
, which uses the FEATURE_OPTIONS
data type. See "Setting the Oracle Data Redaction or Virtual Private Database Feature Options" for more information.
Line 3: Creates the variable policy_conditions
, which uses the POLICY_CONDITIONS
data type. See "Setting Conditions for the Transparent Sensitive Data Production Policy" for more information.
Lines 5–8: Writes the Data Redaction policy settings to the redact_feature_option
variable. This example applies the Data Redaction policy to the user APPUSER
and defines the policy as a partial data redaction for number data types. See Oracle Database Advanced Security Guide for information about how the function_parameters
parameter works for this case.
Lines 9–10: Writes the TSDP policy conditions to the policy_conditions
variable (that is, the data type and length) for the protected NUMBER
data type column.
Lines 11–12: Executes the DBMS_TSDP_PROTECT.ADD_POLICY
procedure, which creates the redact_partial_cc
TSDP policy. See "Specifying the DBMS_TSDP_PROTECT.ADD_POLICY Procedure" for more information.
The TSDP feature options describe the Oracle Data Redaction or Virtual Private Database settings that you may want to use for the transparent sensitive data protection policy.
For Data Redaction, define the feature options by using the name redact_feature_options
variable and for the type, you must use the type DBMS_TSDP_PROTECT.FEATURE_OPTIONS
, which is an associative array of the data type VARCHAR2(TSDP_PARAM_MAX
). Initialize these options with the parameter-value pairs that correspond with the DBMS_REDACT.ADD_POLICY
parameters.
For example, to specify a TSDP policy that uses partial Data Redaction, Example 11-3 shows the following parameter-value pair:
redact_feature_options ('function_type') := 'DBMS_REDACT.PARTIAL';
For a partial Data Redaction policy that uses a number data type for the protected column, Example 11-3 specifies the following additional parameter-value pairs:
redact_feature_options ('expression') := 'expression'; redact_feature_options ('function_parameters') := 'values';
See Oracle Database Advanced Security Guide for more information about Data Redaction policy creation parameters.
Similarly, for Virtual Private Database, you use the vpd_feature_options
variable to define the VPD feature options. For example:
vpd_feature_options ('statement_types') := 'SELECT, INSERT, UPDATE, DELETE';
See "DBMS_RLS.ADD_POLICY Parameters That Are Used for TSDP Policies" for more information about available VPD parameters.
Optionally, you can specify conditions for the transparent sensitive data protection policy.
However, if you choose to omit conditions, you still must include the following line in the DECLARE
variables. (In this case, the default value for policy_conditions
is an empty associative array.)
policy_conditions SYS.DBMS_TSDP_PROTECT.POLICY_CONDITIONS;
You define the conditions by using the name policy_conditions
for the variable and for the type, you must use type DBMS_TSDP_PROTECT.POLICY_CONDITIONS
, which is an associative array of the data type VARCHAR2(TSDP_PARAM_MAX)
. Ensure that no two conditions are satisfied by a single target sensitive column. The target column's properties should satisfy all the condition properties for the corresponding DBMS_TSDP_PROTECT.FEATURE_OPTIONS
settings to be applied on the column.
Example 11-3 shows the policy conditions as follows:
policy_conditions(DBMS_TSDP_PROTECT.DATATYPE) := 'NUMBER'; policy_conditions(DBMS_TSDP_PROTECT.LENGTH) := '16';
Optionally, you can specify one or more of the following keys for the POLICY_CONDITIONS
settings:
DBMS_TSDP_PROTECT.DATATYPE
enables you to specify a data type.
DBMS_TSDP_PROTECT.LENGTH
enables you to specify a data type length for the DBMS_TSDP_PROTECT.DATATYPE
key.
DBMS_TSDP_PROTECT.PARENT_SCHEMA
enables you to restrict the policy to a specific schema. If you omit this setting, then the policy applies to all schemas in the database.
DBMS_TSDP_PROTECT.PARENT_TABLE
enables you to restrict the policy to a table specified by the DBMS_TSDP_PROTECT.PARENT_SCHEMA
key. If you omit this setting, then the policy applies to all tables within the specified schema.
The DBMS_TSDP_PROTECT.ADD_POLICY
procedure names the transparent sensitive data protection policy and executes settings from the FEATURE_OPTIONS
and POLICY_CONDITIONS
settings.
In the policy, the redact_feature_options
and the policy_conditions
settings work together: When the policy is enabled (using any of the DBMS_TSDP_PROTECT.ENABLE_PROTECTION
* procedures) on the target object, then the redact_feature_options
settings apply only if the corresponding policy_condition
settings are satisfied. You must enter the following parameters:
policy_name
creates a name for the TSDP policy. The name that you enter is stored in the database using the case sensitivity that you used when you created it. For example, if you had entered redact_partial_cc
, then the database stores it as redact_partial_cc
, not redact_partial_cc
.
security_feature
refers to the security feature the TSDP policy will use. Enter DBMS_TSDP_PROTECT.REDACT
to specify Oracle Data Redaction.
policy_enable_options
refers to the variable that you defined for the DBMS_TSDP_PROTECT.FEATURE_OPTIONS
type.
policy_apply_condition
refers to the variable that you defined for the DBMS_TSDP_PROTECT.POLICY_CONDITIONS
type.
Example 11-3 shows the policy set as follows:
DBMS_TSDP_PROTECT.ADD_POLICY('redact_partial_cc', DBMS_TSDP_PROTECT.REDACT, redact_feature_options, policy_conditions);
After you have created the transparent sensitive data protection policy, you can use the DBMS_TSDP_PROTECT.ASSOCIATE_POLICY
procedure to associate the policy with a sensitive type.
Find the sensitive type that you want to use.
For example, to find a list of all sensitive types:
SELECT NAME FROM DBA_SENSITIVE_COLUMN_TYPES ORDER BY NAME; NAME -------------------- credit_card_num_type
Run the DBMS_TSDP_PROTECT.ASSOCIATE_POLICY
procedure to associate the policy with a sensitive column type.
For example:
BEGIN DBMS_TSDP_PROTECT.ASSOCIATE_POLICY( policy_name => 'redact_partial_cc', sensitive_type => 'credit_card_num_type', associate => true); END; /
The following query shows that the credit_card_num_type
is now associated with the redact_partial_cc
policy.
SELECT POLICY_NAME, SENSITIVE_TYPE FROM DBA_TSDP_POLICY_TYPE ORDER BY SENSITIVE_TYPE; POLICY_NAME SENSITIVE_TYPE ----------------- -------------------- redact_partial_cc credit_card_num_type
You can enable the transparent sensitive data protection policy for the current database in a protected source, for a specific table column, or for a specific column type.
Topics:
You can enable transparent sensitive data protection for the current database in a protected source. If you must disable the protection, then you can run the DBMS_TSDP_PROTECT.DISABLE_PROTECTION_SOURCE
procedure.
Run the DBMS_TSDP_PROTECT.ENABLE_PROTECTION_SOURCE
procedure to enable this type of protection.
Example 11-4 shows how to enable transparent sensitive data protection policies for the orders_db
database.
You can enable transparent sensitive data protection for a specific table column. Remember that you can enable only one policy per table. If you must disable the protection, then you can run the DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN
procedure.
Run the DBMS_TSDP_PROTECT.ENABLE_PROTECTION_COLUMN
procedure to enable this type of protection.
Example 11-5 shows how to enable the transparent sensitive data protection policy redact_partial_cc
for a specific table column.
Example 11-5 Enabling TSDP Protection for a Table Column
BEGIN DBMS_TSDP_PROTECT.ENABLE_PROTECTION_COLUMN( schema_name => 'OE', table_name => 'CUST_CC', column_name => 'CREDIT_CARD', policy => 'redact_partial_cc'); END; /
If an ORA-45622: warnings generated during policy enforcement
error appears, then check the configuration of the policy. In this example, the redact_partial_cc
policy is enabled on a column if this column is of the NUMBER
data type and has a length of 16
. Even though the OE.CUST_CC.CREDIT_CARD
column is associated with the redact_partial_cc
policy, the policy is not enabled if this column fails to satisfy the conditions (data type and length).
You can enable transparent sensitive data protection for a specific column type, such as all columns that use the VARCHAR2
data type. If you must disable the protection, then you can run the DBMS_TSDP_PROTECT.DISABLE_PROTECTION_TYPE
procedure.
Run the DBMS_TSDP_PROTECT.ENABLE_PROTECTION_TYPE
procedure to enable this type of protection.
Example 11-6 shows how to enable transparent sensitive data protection for all columns that use the credit_card_num_type
sensitive type.
If you want to export or import the policy to or from another database, then you must use Oracle Data Pump to perform a full export or import of the database that contains the policy.
Remember that the export and import operations apply to the entire database, not just the transparent sensitive data protection policy.
See Also:
Oracle Database Utilities for information about using Oracle Data Pump
Oracle Database Vault Administrator's Guide for information about using Oracle Data Pump in an Oracle Database Vault environment
When you alter a transparent data protection policy, you must define how the Data Redaction settings must change, and then apply these changes to the transparent sensitive data protection policy itself. You can find a list of existing policies and their protection definitions by querying the DBA_TSDP_POLICY_FEATURE
data dictionary view.
To alter a transparent sensitive data protection policy, use the DBMS_TSDP_PROTECT.ALTER_POLICY
procedure.
Example 11-7 shows how to alter an existing transparent sensitive data protection policy.
Example 11-7 Altering a Transparent Sensitive Data Protection Policy
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
DECLARE redact_feature_options SYS.DBMS_TSDP_PROTECT.FEATURE_OPTIONS; policy_conditions SYS.DBMS_TSDP_PROTECT.POLICY_CONDITIONS; BEGIN redact_feature_options ('expression') := 'SYS_CONTEXT(''USERENV'',''SESSION_ USER'') =''APPUSER'''; redact_feature_options ('function_type') := 'DBMS_REDACT.PARTIAL'; redact_feature_options ('function_parameters') := '9,1,6'; policy_conditions(DBMS_TSDP_PROTECT.DATATYPE) := 'NUMBER'; policy_conditions(DBMS_TSDP_PROTECT.LENGTH) := '22'; DBMS_TSDP_PROTECT.ALTER_POLICY ('redact_partial_cc', redact_feature_options, policy_conditions); END; / |
In this example:
Line 2: Creates the variable redact_feature_options
, which uses the FEATURE_OPTIONS
data type.
Line 3: Creates the variable policy_conditions
, which uses the POLICY_CONDITIONS
data type.
Lines 5–8: Writes the Data Redaction policy settings to the redact_feature_option
variable. This example applies the Data Redaction policy to the user APPUSER
, defines the policy as a partial data redaction for number data types. See Oracle Database Advanced Security Guide for information about how the function_parameters
parameter works for this case.
Lines 9–10: Writes the TSDP policy conditions to the policy_conditions
variable (that is, the data type and length) for the protected NUMBER
data type column.
Lines 11–12: Executes the DBMS_TSDP_PROTECT.ALTER_POLICY
procedure, which alters the redact_partial_cc
TSDP policy to use the definitions set in the redact_feature_options
and policy_conditions
variables.
You can execute the DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN
procedure to disable one or all transparent sensitive data protection policies.
Query the DBA_TSDP_POLICY_PROTECTION
data dictionary view to find the protected columns and their associated transparent sensitive data protection policies.
For example:
SELECT COLUMN_NAME, TSDP_POLICY FROM DBA_TSDP_POLICY_PROTECTION WHERE TABLE_NAME = 'CUST_CC'; COLUMN_NAME TSDP_POLICY ------------ ------------------ CREDIT_CARD redact_partial_cc
Run the DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN
procedure.
For example, to disable the redact_partial_cc
policy on the CREDIT_CARD
column of the CUST_CC
table:
BEGIN DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN( schema_name => 'OE', table_name => 'CUST_CC', column_name => 'CREDIT_CARD', policy => 'redact_partial_cc'); END; /
You can use the %
wildcard in this procedure to specify multiple items. For example, to disable protection for any columns that begin with CREDIT
, you could enter the following:
BEGIN DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN( schema_name => 'OE', table_name => 'CUST_CC', column_name => 'CREDIT%', policy => 'redact_partial_cc'); END; /
To disable all transparent sensitive data protection policies for a table, you can omit the policy
parameter. For example:
BEGIN DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN( schema_name => 'OE', table_name => 'CUST_CC', column_name => '%'); END; /
You can drop an entire transparent sensitive data protection policy, or you can drop a condition-enable-options combination from the policy. If the policy only has one condition-enable-options combination, then Oracle Database drops the entire policy. You do not need to disable a policy before dropping it, but you do need to drop its associated sensitive column first, then its sensitive type.
Query the POLICY_NAME
column of the DBA_TSDP_POLICY_FEATURE
data dictionary view to find the policy that you want to drop.
SELECT POLICY_NAME FROM DBA_TSDP_POLICY_FEATURE; POLICY_NAME ----------------- redact_partial_cc
Remember that you must be granted the SELECT_CATALOG_ROLE
role to query the transparent sensitive data protection data dictionary views.
Find the sensitive column that is associated with this policy.
For example:
SELECT COLUMN_NAME FROM DBA_TSDP_POLICY_PROTECTION WHERE TSDP_POLICY = 'redact_partial_cc'; COLUMN_NAME ----------------- CREDIT_CARD
Drop this sensitive column.
For example:
BEGIN DBMS_TSDP_MANAGE.DROP_SENSITIVE_COLUMN ( schema_name => 'OE', table_name => 'CUST_CC', column_name => 'CREDIT_CARD'); END; /
Find the sensitive type that is associated with this policy.
For example:
SELECT SENSITIVE_TYPE FROM DBA_TSDP_POLICY_TYPE WHERE POLICY_NAME = 'redact_partial_cc'; SENSITIVE_TYPE -------------------- credit_card_num_type
Drop this sensitive type.
For example:
BEGIN DBMS_TSDP_MANAGE.DROP_SENSITIVE_TYPE ( sensitive_type => 'credit_card_num_type');END; /
Run the DBMS_TSDP_PROTECT.DROP_POLICY
procedure to drop the policy.
For example, to completely drop the policy:
BEGIN DBMS_TSDP_PROTECT.DROP_POLICY( policy_name => 'redact_partial_cc'); END; /
To drop the default condition-enable options combination from the policy:
DECLARE policy_conditions DBMS_TSDP_PROTECT.POLICY_CONDITIONS; BEGIN DBMS_TSDP_PROTECT.DROP_POLICY ('redact_partial_cc', policy_conditions); END; /
To drop the default condition-enable options combination from the policy based on a specific condition:
DECLARE policy_conditions DBMS_TSDP_PROTECT.POLICY_CONDITIONS; BEGIN policy_conditions (DBMS_TSDP_PROTECT.DATATYPE) := 'NUMBER'; DBMS_TSDP_PROTECT.DROP_POLICY ('redact_partial_cc', policy_conditions); END; /
You can use the predefined REDACT_AUDIT
policy to mask bind values, which can appear in trace files when an event is set.
Topics:
The bind values of the bind variables that are used in SQL statements can appear in audit records when auditing is configured. Similarly, bind values can appear in trace files when the appropriate event is set. Bind values can also appear when you query the V$SQL_BIND_DATA
dynamic view.
You can use the predefined REDACT_AUDIT
transparent sensitive data protection policy to mask bind values. This policy displays the data as an asterisk (*
) in audit records, trace files, and in V$SQL_BIND_DATA
view queries. By default the REDACT_AUDIT
policy is associated with every sensitive type in the database. When you identify a column as sensitive, by default, the REDACT_AUDIT
policy is enabled for it.
You can disable and enable the REDACT_AUDIT
policy, but you cannot alter or drop it.
Bind variables can be considered to be sensitive or "associated" with sensitive columns in comparison conditions, in SELECT
statements, and in INSERT
or UPDATE
operations.
Bind Variables and Sensitive Columns in the Expressions of Conditions
A Bind Variable and a Sensitive Column Appearing in the Same SELECT Item
Bind Variables in Expressions Assigned to Sensitive Columns in INSERT or UPDATE Operations
In comparison conditions, a sensitive column and a bind variable appear in the expressions that are being compared.
The examples in this section illustrate how bind variables and sensitive columns work with condition expressions.
In the following comparison query, the bind value in VAR1
is masked because VAR1
and SALARY
appear in the expression that is compared using the comparison condition >
.
SELECT EMPLOYEE_ID FROM HR.EMPLOYEES WHERE SALARY > :VAR1;
In the next comparison query, the bind values in VAR1
and VAR2
are masked because VAR1
, VAR2
, and SALARY
appear in expressions that use the comparison equality condition =
.
SELECT EMPLOYEE_ID FROM HR.EMPLOYEES WHERE SALARY + :VAR1 = TO_NUMBER(:VAR2, '9G999D99');
For floating point conditions, the sensitive column and the bind variable appear in the expression that is evaluated. In the following example, the bind value in VAR1
is masked because VAR1
and SALARY
appear in the expression for the IS NOT NAN
condition.
SELECT COUNT( ) FROM HR.EMPLOYEES WHERE (SALARY * :VAR1) IS NOT NAN;
In pattern matching conditions, the sensitive column and the bind variable appear as arguments. In the following example, the bind value in VAR1
is masked because VAR1
and LAST_NAME
are the arguments for the LIKE
condition.
SELECT LAST_NAME FROM HR.EMPLOYEES WHERE LAST_NAME LIKE :VAR1;
For BETWEEN
conditions, the sensitive column and the bind variable appear in the expressions that are arguments. In the following example, bind values in VAR1
and VAR2
are masked because VAR1
, VAR2
, and SALARY
appear in expressions that are arguments to the BETWEEN
condition.
SELECT EMPLOYEE_ID FROM HR.EMPLOYEES WHERE SALARY BETWEEN :VAR1 AND :VAR2;
In the next example, the sensitive column and the bind variable are the arguments of the IN
condition. Here, the bind values in VAR1
and VAR2
are masked because VAR1
, VAR2
, and SALARY
appear as arguments to the IN
condition.
SELECT COUNT( ) FROM HR.EMPLOYEES WHERE SALARY IN ( :VAR1, :VAR2);
When a condition has a nested subquery as an argument, the bind variables and sensitive columns that appear in the nested subquery are not considered to be associated with the condition. For example, suppose HR.EMPLOYEES.SALARY
is a sensitive column. In the following query, the SALARY
column and the subquery are expressions for the greater-than condition >
.
SELECT EMPLOYEE_ID FROM HR.EMPLOYEES WHERE SALARY > (SELECT SALARY FROM HR.EMPLOYEES WHERE MANAGER_ID = :VAR1);
However, variable VAR1
is associated with column MANAGER_ID
as variable VAR1
and MANAGER_ID
appears in expressions being compared using the condition =
. Because MANAGER_ID
is not a sensitive column, variable VAR1
is not considered sensitive. The variable VAR1
is not considered to be associated with the sensitive column SALARY
.
In the case of the logical conditions, model conditions, multiset conditions, XML conditions, compound conditions, IS OF
type conditions, and EXISTS
conditions, there can be no cases where a bind variable and a sensitive column are associated with each other. This is due to the structure or the nature of these conditions.
If a column in a SELECT
item is sensitive, then all the binds in the SELECT
item are considered sensitive.
For example, assume that HR.EMPLOYEES.SALARY
and HR.EMPLOYEES.COMMISSION_PCT
are sensitive columns. In the following query, the bind variable VAR1
is considered sensitive because it appears in the same SELECT
item as the sensitive column SALARY
, so its bind value is masked.
SELECT (SALARY * VAR1) AS BONUS AS FROM HR.EMPLOYEES WHERE EMPLOYEE_ID = :VAR2;
In the next example, the bind variable VAR1
is considered sensitive because it appears in the same SELECT
item as SALARY
. VAR2
is considered sensitive because it appears in the same SELECT
item as the sensitive column COMMISSION_PCT
.
SELECT (SALARY * VAR1), (COMMISSION_PCT * :VAR2), (EMPNO + :VAR3) AS BONUS AS FROM PAYROLL.ACCOUNT;
You can assign multiple bind variables to different columns in one INSERT
or UPDATE
statement.
Consider the following INSERT
statement:
INSERT INTO PAYROLL.ACCOUNT (ACCOUNT_NUM, SALARY) VALUES (:VAR1 * :VAR2 , :VAR3);
In this INSERT
statement, the following takes place:
The bind variables VAR1
and VAR2
appear in the expression (:VAR1 * :VAR2
), which is assigned to the sensitive column ACCOUNT_NUM
.
The bind variable VAR3
is assigned to sensitive column SALARY
.
Consider the following UPDATE
statement:
UPDATE PAYROLL.ACCOUNT SET ACCOUNT_NUM = :VAR1, SALARY = :VAR2;
In this UPDATE
statement, the following takes place:
The bind variable VAR1
is assigned to sensitive column ACCOUNT_NUM
.
The bind variable VAR2
is assigned to sensitive column SALARY
.
A bind variable that appears in a query on a view is considered sensitive if the view column references a sensitive column.
For example, suppose you identify the SALARY
column in the HR.EMPLOYEES
table as sensitive. Then you create the view EMPLOYEES_VIEW
as follows:
CREATE OR REPLACE VIEW HR.EMPLOYEES_VIEW AS SELECT * FROM HR.EMPLOYEES;
When a user references the SALARY
column from this view in a SQL statement, any bind variable that has been associated with the SALARY
column is considered sensitive and its bind value then masked.
SELECT EMPLOYEE_ID FROM HR.EMPLOYEES_VIEW WHERE SALARY = :VAR1;
In this case, the bind variable VAR1
is masked because it is associated with the HR.EMPLOYEES_VIEW.SALARY
column, which references the sensitive column HR.EMPLOYEES.SALARY
.
By default, the REDACT_AUDIT
policy is enabled for all sensitive columns. You can disable it for a specific sensitive column or all sensitive columns, and when needed, re-enable it. Remember that you cannot alter or delete the REDACT_AUDIT
policy.
Example 11-8 shows how to disable the REDACT_AUDIT
policy for the SALARY
column of HR.EMPLOYEES
.
Example 11-8 Disabling the REDACT_AUDIT Policy for One Sensitive Column
BEGIN DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN( schema_name => 'HR', table_name => 'EMPLOYEES', column_name => 'SALARY', policy => 'REDACT_AUDIT'); END; /
Example 11-8 shows how to disable the REDACT_AUDIT
policy for all sensitive columns in the current database.
Example 11-9 Disabling the REDACT_AUDIT Policy for All Columns in the Database
BEGIN DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN( policy => 'REDACT_AUDIT'); END; /
Example 11-8 shows how to re-enable the REDACT_AUDIT
policy for the SALARY
column of HR.EMPLOYEES
.
Example 11-10 Enabling the REDACT_AUDIT Policy for One Sensitive Column
BEGIN DBMS_TSDP_PROTECT.ENABLE_PROTECTION_COLUMN( schema_name => 'HR', table_name => 'EMPLOYEES', column_name => 'SALARY', policy => 'REDACT_AUDIT'); END; /
Example 11-8 shows how to enable the REDACT_AUDIT
policy for all sensitive columns in the current database.
You can use Oracle Data Redaction features with transparent sensitive data protection policies by using the Data Redaction function types, function parameters, and expressions in the TSDP policy definition.
For example, you can set the enable the TSDP policy to use FULL
or PARTIAL
data redaction. This chapter uses Data Redaction for examples of managing TSDP policies.
See Also:
"Creating Transparent Sensitive Data Protection Policies" for an example of how to create TSDP policies that use Data Redaction function types
Oracle Database Advanced Security Guide for details about Oracle Data Redaction
The transparent sensitive data protection and Oracle Virtual Private Database procedures enable you to combine the protections of these two features.
Topics:
About Using TSDP Policies with Oracle Virtual Private Database Policies
DBMS_RLS.ADD_POLICY Parameters That Are Used for TSDP Policies
Tutorial: Creating a TSDP Policy That Uses Virtual Private Database Protection
You can incorporate Oracle Virtual Private Database protection with transparent sensitive data protection policies.
This feature works as follows:
You create a VPD policy function with a suitable predicate. Later on, when you create the TSDP policy, you will refer to this VPD policy function by using the policy_function
setting of the DBMS_RLS.ADD_POLICY
procedure for the feature_options
parameter of the DBMS_TSDP_PROTECT.ADD_POLICY
procedure.
See "Function to Generate the Dynamic WHERE Clause" for more information about VPD functions.
You create a TSDP policy with the necessary VPD settings similar to the VPD policy function.
The TSDP policy uses parameter settings from the DBMS_RLS.ADD_POLICY
procedure to provide VPD protection. Table 11-1 lists these parameters. Be aware that parameters from the DBMS_RLS.ADD_GROUPED_POLICY
policy are not supported.
You associate the TSDP policy with the necessary sensitive types by using the DBMS_TSDP_PROTECT.ASSOCIATE_POLICY
procedure.
You then enable TSDP protection by using any of the DBMS_TSDP_PROTECT_ENABLE_PROTECTION_
* procedures.
You enable the TSDP policy. At this point, Oracle Database creates an internal VPD policy that uses the function that you created in Step 1.
The name of the internal policy begins with ORA$VPD
followed by an identifier (for example, ORA$VPD_6J6L3RSJSN2VAN0XF)
. You can find this policy by querying the POLICY_NAME
column of the DBA_POLICIES
data dictionary view.
When users query the table, the output for the column is based on both the VPD protections and the TSDP policy that are now in place.
These protections remain in place until you disable the TSDP policy for this column. At that point, Oracle Database automatically drops the internal VPD policy, because it is no longer needed. If you reenable the TSDP policy, then the internal VPD policy is recreated.
Table 11-1 describes the DBMS_RLS.ADD_POLICY
parameters that are permissible in the FEATURE_OPTIONS
parameter when you use the DBMS_TSDP_PROTECT.ADD_POLICY
or DBMS_TSDP_PROTECT.ALTER_POLICY
procedure.
Table 11-1 DBMS_RLS.ADD_POLICY Parameters Used for TSDP Policies
Parameter | Description | Default |
---|---|---|
|
Schema of the policy function (current default schema, if |
|
|
Name of a function that generates a predicate for the policy. If the function is defined within a package, then you must include the name of the package (for example, |
|
|
Statement types to which the policy applies. It can be any combination of |
|
|
Optional argument for |
|
|
If you set this value to |
|
|
Default is |
|
|
Default is |
|
|
If you specify this parameter, then transparent sensitive data protection inputs the sensitive column on which the protection is enabled to the Allowed values are for
|
|
This tutorial demonstrates how to incorporate Oracle Virtual Private Database protection with a transparent sensitive data protection policy. In this tutorial, you will create sample users, identify sensitive columns, create an Oracle Virtual Private Database function, and then create and enable a transparent sensitive data protection policy. After you test the policy, you can remove the tutorial components if you do not need them.
Step 4: Create and Enable a Transparent Sensitive Data Protection Policy
Step 5: Test the Transparent Sensitive Data Protection Policy
First, you must create a sample user account and then grant this user the appropriate privileges.
Log into the database instance as user SYS
with the SYSDBA
administrative privilege.
sqlplus sys as sysdba
Enter password: password
If you are using a multitenant environment, then connect to the appropriate pluggable database (PDB).
For example:
CONNECT SYS@hrpdb AS SYSDBA
Enter password: password
To find the available PDBs, query the DBA_PDBS
data dictionary view. To check the current PDB, run the show con_name
command.
Create the following user accounts:
GRANT CREATE SESSION TO hr_appuser IDENTIFIED BY password; GRANT CREATE SESSION TO tsdp_admin IDENTIFIED BY password;
Replace password
with a password that is secure. See "Minimum Requirements for Passwords" for more information.
Grant user tsdp_admin
the following privileges:
GRANT CREATE PROCEDURE TO tsdp_admin; GRANT EXECUTE ON DBMS_TSDP_MANAGE TO tsdp_admin; GRANT EXECUTE ON DBMS_TSDP_PROTECT TO tsdp_admin; GRANT EXECUTE ON DBMS_RLS to tsdp_admin;
Connect as user SCOTT
.
CONNECT SCOTT -- Or, CONNECT SCOTT@hrpdb Enter password: password
Grant the hr_appuser
the READ
object privilege for the EMP
table.
GRANT READ ON EMP TO hr_appuser;
As the sample user tsdp_admin
, you are ready to identify sensitive columns to protect.
Connect as user tsdp_admin
.
CONNECT tsdp_admin -- Or, CONNECT tsdb_admin@hrpdb Enter password: password
Create the salary_type
sensitive type:
BEGIN DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE ( sensitive_type => 'salary_type', user_comment => 'Type for SCOTT.EMP column'); END; /
Associate the salary_type
sensitive type with the SCOTT.EMP
table.
BEGIN DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN ( schema_name => 'SCOTT', table_name => 'EMP', column_name => 'SAL', sensitive_type => 'salary_type', user_comment => 'Sensitive column addition of SALARY_TYPE'); END; /
Next, you are ready to create the Oracle Virtual Private Database policy function that Transparent Sensitive Data Protection will associate with the VPD policy that will be automatically created when you enable the TSDP policy.
To create the VPD policy function, use the CREATE OR REPLACE FUNCTION
procedure, as follows:
CREATE OR REPLACE FUNCTION vpd_function ( v_schema IN VARCHAR2, v_objname IN VARCHAR2) RETURN VARCHAR2 AS BEGIN RETURN 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''HR_APPUSER'''; END vpd_function; /
After you have created the VPD policy function, you can associate it with a transparent sensitive data protection policy.
Create the Transparent Sensitive Data Protection policy.
DECLARE vpd_feature_options DBMS_TSDP_PROTECT.FEATURE_OPTIONS; policy_conditions DBMS_TSDP_PROTECT.POLICY_CONDITIONS; BEGIN vpd_feature_options ('policy_function') := 'vpd_function'; vpd_feature_options ('sec_relevant_cols_opt') := 'DBMS_RLS.ALL_ROWS'; dbms_tsdp_protect.add_policy('tsdp_vpd', DBMS_TSDP_PROTECT.VPD, vpd_feature_options, policy_conditions); END; /
In this example, the vpd_feature_options
parameter refers to the sec_relevant_cols_opt
parameter from the DBMS_RLS.ADD_POLICY
procedure. When the TSDP policy is enabled, the VPD policy that is automatically created will have its sec_relevant_cols
parameter (of DBMS_RLS.ADD_POLICY
) set to the name of the sensitive column on which TSDP enables the VPD policy. If you had not used the sec_relevant_cols_opt
parameter, then TSDP would not have used the DBMS_RLS.ADD_POLICY
sec_relevant_cols_opt
parameter.
Associate the tsdp_vpd1
TSDP policy with the salary_type
sensitive type.
BEGIN DBMS_TSDP_PROTECT.ASSOCIATE_POLICY( policy_name => 'tsdp_vpd', sensitive_type => 'salary_type', associate => TRUE); END; /
Enable protection to enforce the Virtual Private Database policy on all columns identified as SALARY_TYPE
:
BEGIN DBMS_TSDP_PROTECT.ENABLE_PROTECTION_TYPE( sensitive_type => 'salary_type'); END; /
Now, you are ready to test the transparent sensitive data protection policy.
Connect as user hr_appuser
.
CONNECT hr_appuser -- Or, CONNECT hr_appuser@hrpdb
Enter password: password
Query the SCOTT.EMP
table as follows:
SELECT SAL, COMM, EMPNO FROM SCOTT.EMP;
The following output appears:
SAL COMM EMPNO --------- ------ ---------- 800 7369 1600 300 7499 1250 500 7521 2975 7566 1250 1400 7654 2850 7698 2450 7782 3000 7788 5000 7839 1500 0 7844 1100 7876 950 7900 3000 7902 1300 7934 14 rows selected.
The vpd_function
function enables user hr_appuser
to see the salaries in the SAL
column of the EMP
table.
Connect as user SCOTT
and then perform the same query.
CONNECT SCOTT -- Or, CONNECT SCOTT@hrpdb Enter password: password SELECT SAL, COMM, EMPNO FROM SCOTT.EMP;
The following output appears:
SAL COMM EMPNO --------- ------ ---------- 7369 300 7499 500 7521 7566 1400 7654 7698 7782 7788 7839 0 7844 7876 7900 7902 7934 14 rows selected.
Even though SCOTT
owns the EMP
table, the vpd_function
function prevents him from seeing the salaries in the SAL
column of this table
If you no longer need the components of this tutorial, then you can remove them.
Connect as user tsdp_admin
.
CONNECT tsdp_admin -- Or, CONNECT tsdp_admin@hrpdb Enter password: password
Execute the following statements in the order shown.
BEGIN DBMS_TSDP_MANAGE.DROP_SENSITIVE_COLUMN ( schema_name => 'SCOTT', table_name => 'EMP', column_name => 'SAL'); END; /
BEGIN DBMS_TSDP_MANAGE.DROP_SENSITIVE_TYPE( sensitive_type => 'salary_type'); END; / BEGIN DBMS_TSDP_PROTECT.DROP_POLICY( policy_name => 'tsdp_vpd'); END; /
Connect as user SYSTEM
.
CONNECT SYSTEM -- Or, CONNECT SYSTEM@hrpdb Enter password: password
Drop the tsdp_admin
and hr_appuser
accounts.
DROP USER tsdp_admin CASCADE; DROP USER hr_appuser
Table 11-2 describes data dictionary views that you can use to find information about transparent sensitive data protection policies. Before you can use these views, you must be granted the SELECT_CATALOG_ROLE
role.
Table 11-2 Transparent Sensitive Data Protection Views
View | Description |
---|---|
|
Describes discovery import information with regard to transparent sensitive data protection policies |
|
Describes the sensitive column types that have been defined for the current database |
|
Describes the sensitive columns in the database |
|
Shows information regarding the errors encountered during import of discovery result. It shows information with regard to the error code, schema name, table name, column name, and sensitive type. |
|
Describes the transparent sensitive data protection policy and condition mapping. This view also lists the property-value pairs for the condition. |
|
Shows the transparent sensitive data protection policy security feature mapping. (At this time, only Oracle Data Redaction and Oracle Virtual Private Database are supported.) |
|
Describes the parameters of transparent sensitive data protection policies |
|
Shows the list of columns that have been protected through transparent sensitive data protection |
|
Shows the policy to sensitive column type mapping |